Ever since Adam Smith observed the “invisible hand” at work, companies have tried to exploit every competitive advantage available to boost profits and increase shareholder value. In the early 20th century this impulse drove firms to house all aspects of production and management under one roof. These massive integrated companies, symbolised by multinational oil firms such as BP, eventually became too large and unwieldy to compete in the global marketplace. Outsourcing was born. Our new report looks at what role internal audit can play in providing assurance on outsourced services.
Today it is not only private companies that seek to outsource services to other firms. The UK government doubled the amount it spent on outsourced services between 2010 and 2014 to around £90bn. However, commissioning organisations have found that, although a range of services can be outsourced, from production to IT support, some risks – especially to their reputations – still remain. You can’t completely outsource risk.
There are numerous examples of organisations that have not adequately managed risk to their reputation inherent in their agreements with suppliers. The UK government has suffered reputational damage from problems with suppliers, for example with G4S during the 2012 Olympics and with Atos for the Department for Work and Pensions’ work capability assessments. The slew of companies that have been criticised for employing suppliers with poor worker conditions includes the world’s largest company (by market capitalisation), Apple.
Firms can be engaged in complex supply networks that span continents. But at the heart of any outsourcing activity lies the formal relationship between the commissioning organisation and the supplier. Internal audit can provide an advisory service and independent assurance at each stage of the procurement process. Internal audit’s role will depend on the perceived risk it presents to the organisation, the board’s risk appetite and the cost and complexity of the outsourced service.
Internal audit should be involved as early as possible in an organisation’s procurement cycle. The organisation should use a recognised process to complete a feasibility study to show that there is a clear business case aligned to the strategic objectives of the organisation. Where this process is absent, internal audit can work in an advisory capacity to help establish an effective framework.
Internal audit can review the organisation’s tendering and supplier selection process, assuring the board that they have adequate and effective policies in place to choose the right supplier. So-called “right to audit” clauses ensure that evaluation and monitoring of the third-party provider can take place. As the contract is drafted, internal audit can examine the performance management arrangements in place and advise on whether they are appropriate. Auditors can also work with other assurance providers such as operational managers and compliance professionals to ensure coordination and that duplication is avoided.
As part of our research we present case studies that show how internal audit can get involved at all stages of the procurement cycle. We spoke to private companies and government departments including the BBC, the Home Office, Crossrail and EDF Energy. Contracts will occupy more of internal auditors’ time as organisations learn the benefits of receiving independent assurance on contracts. The institute will follow developments in this area closely as auditors get to grips with auditing more complex outsourcing arrangements.